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Abstract. An alternative quantum algorithm for the discrete logarithm prob- 
lem is presented. The algorithm uses two quantum registers and two Fourier 
transforms whereas Shor's algorithm requires three registers and four Fourier 
transforms. A crucial ingredient of the algorithm is a quantum state that needs 
to be constructed before we can perform the computation. After one copy of 
this state is created, the algorithm can be executed arbitrarily many times. 



1. Introduction 

In 1994, Peter Shor described an efficient, polynomial time, quantum algorithm 
for the discrete logarithm problem jTj. Shor's protocol is based on the period find- 
ing capability of quantum computers and its initial version was a probabilistic 
algorithm. Following this work, several authors have presented exact versions of 
Shor's algorithm QJIS], based on the method of 'amplitude amplification'. 

Here we present an alternative algorithm for the discrete logarithm. The algo- 
rithm requires the preprocessing of a state that is specific for the group G and its 
generator g for which we want to calculate the discrete logarithm. The size of this 
'chi state' is log \G\ qubits and it can be created efficiently with zero error proba- 
bility. The actual discrete logarithm algorithm is more efficient than Shor's version 
and because the chi state can be reused indefinitely, we can view the production 
of it as a form of 'preprocessing' that is especially worthwhile if we intend to solve 
many instances of the discrete logarithm problem for a fixed group. Provided that 
we have a perfect version of the chi state and we can perform the quantum Fourier 
transform over Z/mZ (with m the order of the group G) exactly, the algorithm 
presented here is deterministic. Furthermore it is possible to perfectly copy the x 
state, hence after one quantum computer has produced the state, other computers 
can acquire the state with at no extra cost. Typically, G would be the multiplicative 
'mod n' group (Z/nZ) x with <p(n) — m, but the algorithm works for every cyclic 
group G. 

The reader is referred to [S| for an introduction in the theory of quantum compu- 
tation. Throughout the text we assume that we can perform the quantum Fourier 
transform over the additive group Z/mZ exactly; see [H] for when and how this can 
be done. 
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2. The Algorithm 

Let G be the multiplicative group of order m generated by g such that G = 
{g x ,g 2 , ■ ■ ■ ,g m — 1}. For a fixed g, the discrete logarithm problem is to determine 
the power p £ Z/mZ of a given element g p € G (we use the notation log g (<? p ) := p). 
Throughout the article we assume that the order m is known. 

As mentioned in the introduction, the algorithm consists of two parts: the pre- 
processing of a 'chi state' and the actual algorithm, which can be executed arbitrar- 
ily many times on one copy of the chi state. Before we describe these two parts of 
the algorithm, we will define some of its ingredients, which are also used in Shor's 
algorithm. 

Fourier transform: For the additive group Z/mZ the quantum Fourier trans- 
form F, which is a unitary operation, is defined by 

1 m—l 

for all x e Z/mZ and £ m := e 27n / m . How to efficiently implement the 
Fourier transform in circuits of size poly (log m) is explained in, for example, 
[2]. For which m we can implement F exactly and how is discussed in, for 
example, j5J. 

Division operator: We assume that multiplication and division in G can be 
done efficiently (in time poly(logm)), and hence using repeated powering 
x i— ► x 2 i— ► x A ■ ■ ■ , we can efficiently calculate any power x r for — m < r < m. 
This shows that the following two reversible 'division operators' can be 
implemented efficiently as well: 

D a :\x,y) .— > \x,y/x a ), 
D x :\a,y) i — > \a,y/x a ), 

for all x,y € G and a € Z/rraZ. 

We are now ready to describe the two parts of the quantum algorithm. First, 
in t l2.ll we will define the 'chi state', which is crucial for the algorithm. We will 
mention some of its properties and show the state can be prepared in an efficient 
way. After that, in H2.2I the actual algorithm will be given. 

2.1. The Chi State, Its Properties and Its Preparation. Given g and the 
group G, define the chi state by 

m—l 

We use the symbol x f° r this state because its phase values Cm are the values of the 
multiplicative character x : G ^ C with x(g r ) := Cm f° r au r G Z/mZ and hence 
with x( x y) = x( x )x(y)- For every a € Z/mZ we also define the a-th power of the 
chi state by 

m — l 

IX") := ^^Cml/)- 

Note that |x°) is the uniform superposition of the elements of G. 
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Using the D a operation chi states can be copied to arbitrary \ a states. It is 
straightforward to check that if we apply a D a operation to a state |g s )|x) we will 
induce the phase change \g s ,x) l— ¥ (m\9 s >x)- Hence, if we apply D a to a uniform 
superposition of G and a %-state, we obtain a new x" state without losing the 
original |x): 

JL^I^IX) _> \ X «)\ X ). 

In general we have in fact the mapping D a : |x^)lx 7 ) *~ > \x l3+ai )\x y ) ■ Under the 
assumption that it is easy to create the uniform superposition |x ), we thus see 
that we can efficiently create arbitrary \x a ) states, as soon as we have an initial 
state |x). To create the first chi state, we use the following zero error procedure. 

Chi State Preparation Algorithm: Let g be the generator of the group G — 
{g,g 2 ,...,g m =g° = l}. 

(1) Initialize two log to qubit registers to |0, 0) and apply the Fourier transform 
over Z/mZ to the left one. Next, calculate in the right register powers g r 
where the exponent r is read from the left register. This step gives the 
transformation 

m— 1 

|0,0) — £| r , 5 ^ 

(2) Apply the Fourier transform over Z/mZ to the first register: 

1 m — 1 1 rn — 1 

V TO ^— ' TO ^-^ 

iVote that this state equals J2 S I s ' X s ) /V™- 

(3) Measure the s-register. If gcd(s, to) 7^ 1. go bacJc to step 1 and repeat the 
protocol. Otherwise, continue with the state |s,x s ). 

(4) Clear the s register and replace it with the uniform superposition of ele- 
ments of G such that we obtain the state |x°7X s )- 

(5) Apply Z)^/ 5 ' (as l/s :— s _1 is well-defined in Z/toZJ, such that we get the 
transformation |x°,x s ) l— * Ix 1 ?^)- Remove the right register, yielding |x). 

All steps in the above algorithm can be done in time poly (log to). The probability 
that the observed s in Step 1 is co-prime with to is cj>(rn)/m, which is lower bounded 
by f2(l/ log(logr?T,)). Hence the expected number of times that we have to repeat 
the algorithm until we reach Step 4 is 0(log(log to)). In all, and assuming that we 
can perform the Fourier transform exactly, this shows that this algorithm produces 
the state \x) with zero error probability and has expected running time poly (log to). 
Using amplitude amplification pQ and knowledge about <fi(m) we could make this 
algorithm exact, but because we need to prepare |x) only once, we do not bother. 
(Note again that copying the x-state via the operation D 1 : |x°,x) l— * \x>x) ^ s 
deterministic and more simple than the just described chi preparation algorithm.) 

2.2. Using the Chi State for the Discrete Logarithm Problem. The crucial 
property of the chi state that we will use in the logarithm algorithm is its phase 
changing behavior when we apply D x to it. Given an element x = g p G G, the D x 
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transform on \a) and |x) has the following effect (which is shown with the help of 
the equality £ r C m \g r /9 pa ) = E r C p+r |<f »: 

D x :\a)\ X ) — > CV)|x>, 

withp :— log 9 (a;). This 'multiplicative phase kick-back trick' (cf. [2] for the additive 
version) is used to calculate log g x in the following algorithm. 

Discrete Logarithm Algorithm: Given the generator g, a state \x) and the 
input value x = g p , perform the following 3 steps. 

(1) Create a uniform superposition of a's by applying the Fourier transform 
over Z/mZ to 0: 

m — 1 

(2) With the x state as the second register, apply the D x transform to this 
superposition, giving: 

1 m — 1 rn — 1 

(3) -Recover the logarithm p by applying an inverse Fourier transform (over 
Z/mZ) to the first register, yielding the final state | log fl (x))|x)- 

The complexity of the algorithm consists of two Fourier transforms over Z/mZ 
and one implementation of D x , which can all be done in time poly(logm). If these 
transformations are performed perfectly and the state \ is exact, then the above 
algorithm finds the discrete logarithm log ff (x) with probability 1. Note also that 
the chi state did not get destroyed in the computation, and hence can be reused. 

3. Discussion 

The two log to qubit registers and two Fourier transforms over Z/mZ of the 
above algorithm are improvements over the exact version of Shor's algorithm, as 
described in p], which requires three quantum registers of log to qubits and four 
Fourier transforms. Also the 'exactness' of this algorithm is more straightforward 
as we did not need to use amplitude amplification 1 to suppress the errors. 

If we allow measurements with classical interactions during the computation, 
we can use the semi-classical Fourier transform over Z/2 fc Z |S1 to reduce the size 
of the first register to one coherent qubit. By taking k w logm, the above algo- 
rithm gives a probabilistic procedure with log to measurements during its Fourier 
transform, while the standard semi-classical discrete logarithm algorithm requires 
2 log to measurements 0|- 

Acknowledgements. I would like to thank Andrew Childs and Mike Mosca for their 
comments on an earlier version of this article. This work is supported in part by 
funds provided by the U.S. Department of Energy (DOE) and cooperative research 
agreement DF-FC02-94ER40818, and by a CMI postdoctoral fellowship. 



QUANTUM COMPUTING DISCRETE LOGARITHMS. 



5 



References 

[1] Gillcs Brassard and Peter H0yer, "An exact quantum polynomial-time algorithm for Simon's 

problem", Proceedings of Fifth Israeli Symposium on Theory of Computing and Systems 

(ISTCS'97), pages 12-23 (1997); arXiv:quant-ph/9704027 
[2] Richard Cleve, Artur Ekert, Chiara Macchiavello, and Michele Mosca, "Quantum algorithms 

revisited", Proceedings of the Royal Society of London A, Volume 454, pages 339—354 (1998); 

arXiv:quant-ph/9708016 
[3] Robert B. Griffiths and Chi-Sheng Niu, "Semiclassical Fourier Transform for Quantum 

Computation", Physical Review Letters, Volume 76, pages 3228-3231 (1996); arXiv:quant- 

ph/9511007 

[4] Michele Mosca and Artur Ekert, "The hidden subgroup problem and eigenvalue estimation on 
a quantum computer" , Proceedings of the 1st NASA International Conference on Quantum 
Computing and Quantum Communication, Lecture Notes in Computer Science 1509 (1999); 
arXiv:quant-ph/9903071 

[5] Michele Mosca and Christoph Zalka, "Exact quantum Fourier transforms and discrete loga- 
rithm algorithms", to be published in proceedings of EQIS'03; arXiv:quant-ph/0301093 

[6] Michael A. Nielsen and Isaac L. Chuang, Quantum Computation and Quantum Information, 
Cambridge University Press (2000) 

[7] Peter W. Shor, "Algorithms for Quantum Computation: Discrete Logarithms and Factor- 
ing", SIAM Journal on Computing, Volume 26:5, pages 1484-1509 (1997); arXiv:quant- 
ph/9508027 

Massachusetts Institute of Technology, Center, for Theoretical Physics, 77 Mas- 
sachusetts Avenue, Cambridge, MA 02139-4307, USA 
E-mail address: vandamOmit . edu 



